Researchers find new speculative execution vulnerabilities in Intel CPUs – Computer – News

Researchers have again found a leak in it speculative executionportion of Intel CPUs. The bug is named CacheOut. The research was prompted by earlier chip vulnerabilities, but now it was possible to search specifically for leaked buffer data.

The leak was investigated by scientists from the University of Michigan and the University of Adelaide. They elaborate on earlier research by the VUSec department of the VU University in Amsterdam, which leak earlier such as Meltdown and Specter, and earlier this year RIDL discovered. The same VUSec researchers also played a role in this study. The new vulnerability is called CacheOut, because it pushes data out of the cache so that it can be read.

The vulnerability is in speculative execution, a feature in Intel CPUs that performs certain calculations before they are needed. Because of that trick, the CPUs often get faster. However, speculative execution also leaks out certain calculations to the buffer cache. Researchers have already shown that it was possible to read out the leaked data from the cache. CacheOut is a new way to listen to the cache. The researchers show that it is possible to drain data from the kernel of the operating system, from virtual machines on the system, and even from the Security Guard Extensions in the secure enclave of a chip. That is a feature for Intel chips that allows third parties to put their software in the standard secure enclave can turn.

Striking about the vulnerability is that it goes a bit further than Specter and Meltdown, and RIDL. The new bug manages to circumvent the mitigations that Intel set up for the first one. Intel had a different mitigation for the RIDL attacks, in which the leaked buffer data was overwritten by random content, so that it was no longer possible to find out what was originally there. However, the researchers have now discovered a way to move data from the L1-D cache to another buffer, from which they can then retrieve the data. It is also striking that the leak makes it possible to identify specific output and not just random ones, as was the case with RIDL. As evidence, the researchers retrieved an AES key from the cache.

The bugs are only in Intel CPUs. AMD chips are not vulnerable, according to the researchers, because they do not use Transactional Synchronization Extensions, as Intel does. The researchers coordinated the research with Intel. The company has since released an update for the microcode for the CPUs, and given mitigation tips. However, because it is a hardware vulnerability, it cannot be fully resolved.

–